Deep Security Virtual Appliance (Agentless) does not work with a pure Citrix environment (i.e. VMs running on Citrix XenServer).

For these environments, the physical agent-based solution is recommended. Install the Agents in the Master Golden Image (deactivated mode) and then perform agent-based activation in the provisioning process. We can specify the policy in the script or use an Event-Based Task to assign the correct policy based on the attributes available (e.g. Computer Name).

Steps to set up the Master Golden Image.

Install an un-activated Deep Security Agent on the Golden Image in the Citrix XenServer environment, and uninstall any other third-party anti-malware software from the Golden Image, as this will cause scan contention; Trend will take care of the Anti-Virus Windows notification.

In the Golden Image, set the environment variables so that dsa_control is recognized as an internal command.

Once the Master Golden Image is set up and ready, create the new VM using the Machine Catalog in Citrix Studio.

Please check how to enable activation for the new VM using the Active Directory integration in Trend DSM. The option is called Event-Based Tasks; see the Activating the Event-Based Tasks blog for the steps.

If we don't have AD integration with the OU folder structure in Trend DSM, we can get the command to activate the agent from the DPM – Help – Deployment Script option by selecting the appropriate Policy, Computer Group and Relay Group. With the BAT file set as the GPO logon script, the agent can be activated.

Before configuring it in the login script, we can test the activation using the command below.

Please note that the command has to be run in a CMD prompt with Run as Administrator.

To automate this, we can use a login script: copy the command into a batch file and apply it to the appropriate OU in Group Policy as the user logon script, or use SCCM and target the installed service to run the command so that it won't be applied to the other VMs.

If the user doesn't have administrator rights on the new VMs and SCCM is not used in the environment, we can use a tool called CPAU to activate the agent. This eliminates the need to grant administrator privileges to users who need to activate DSAs on their machines but are being prompted for a username and password.

To create a login script, use a third-party program called CPAU. This tool can encrypt the user’s credentials.

Copy the CPAU.exe and dsa_init.txt files to the Active Directory location:

\\<active directory server>\sysvol\<domain>

For example: \\ad-dsm\SYSVOL\DC4ESXI.com\

DSA activation will initiate once users log on to their machines.

Once the login script is set, when a user logs in to the new VM it will initiate the agent activation, and in the Trend console we can see that the new computer is activated with the appropriate policy.

Deep Security Agent and the Citrix target device driver

In a Citrix PVS 6.0 environment, if you plan on installing the (in-guest) Deep Security Agent, the Citrix target device driver may not be able to connect successfully to the Provisioning Server due to a possible conflict.

Please note that in a Machine Creation Services environment there is no need to do the steps below.

If you plan on installing Deep Security Agent on a Windows operating system that is connected to a PVS server using disk provisioning, the temporary workaround is to change the tbimdsa driver loading order during system startup from PNP_TDI to NDIS.

To do so, manually change the loading order of the tbimdsa driver used by the Deep Security Agent.

Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tbimdsa

Add or modify String “Group” Value to: NDIS

Add or modify DWORD “Start” Value to: 0

Changing the Group value from PNP_TDI to NDIS and the Start value from 3 to 0 allows the tbimdsa driver to load after the Citrix driver has loaded.

Reboot the machine and the PVS Target Device will be able to connect to the vDisk upon boot-up.
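The registry change above can also be applied and verified from an elevated PowerShell session. This is an added example, not part of the original post or Trend Micro's own tooling. The backup file location and the variable names are assumptions.

```powershell
# Added example: apply and verify the tbimdsa load-order workaround.
# Run elevated on the PVS target image, then reboot.
$regPath = 'HKLM\SYSTEM\CurrentControlSet\Services\tbimdsa'
$key     = "Registry::$regPath"
$want    = @{ Group = 'NDIS'; Start = 0 }   # values given in the steps above

if (-not (Test-Path $key)) {
    throw 'tbimdsa service key not found; is the Deep Security Agent installed?'
}

# Export the key first so the change can be reverted (backup path is an assumption).
$backup = Join-Path $env:TEMP 'tbimdsa-before.reg'
& reg.exe export $regPath $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Registry export failed; no changes were made.' }

$before = Get-ItemProperty -Path $key
Write-Output "Before: Group=$($before.Group) Start=$($before.Start)"

# Only write when a value differs, so the script is safe to re-run.
if ($before.Group -ne $want.Group) {
    Set-ItemProperty -Path $key -Name Group -Value $want.Group -Type String
}
if ($before.Start -ne $want.Start) {
    Set-ItemProperty -Path $key -Name Start -Value $want.Start -Type DWord
}

# Read the values back and fail loudly if they did not stick.
$after = Get-ItemProperty -Path $key
if ($after.Group -ne $want.Group -or $after.Start -ne $want.Start) {
    throw "Verification failed: Group=$($after.Group) Start=$($after.Start)"
}
Write-Output "After:  Group=$($after.Group) Start=$($after.Start)"
Write-Output "Backup saved to $backup. Reboot for the new load order to take effect."
```

To revert, import the exported .reg file and reboot.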

It says:
Deep Security Virtual Appliance (Agentless) does not work with a pure Citrix environment (ie. VMs running on Citrix XenServer).
So does that mean it will work in a XenDesktop vSphere environment?